Doug Johnson (Blue Skunk Blog) wrote a wonderful article–Computing in the Clouds–using GoogleApps in Education, then followed up with a blog post about a reader comment in Learning and Leading with Technology magazine.
In that blog post, he makes the following point after responding specifically to some assertions in the reader’s comment:
Unreasonable fears should not be an impediment to any technology adoption. Some risk, considered and acceptable, is a part of any change.
Deal with it.
But that’s the problem, isn’t it? These are not fears but the due diligence of a school district tasked with caring for children, as if they were the parent, during the time they have them available. As such, school districts have to ask questions that–to the best of my knowledge–GoogleApps for Education has FAILED to definitively answer in public.
You see, it doesn’t matter that GoogleApps for Education says to those who ARE using it. We don’t have access to that. Public school districts who are not shirking their duty–as perhaps those who run to embrace the elusive mist of the cloud without giving due diligence to these issues–will ask questions like this one. What am I referring to? The FERPA question I raised in an earlier blog entry on behalf of Robert Alford.
Question regarding staff members/school districts use of Google docs. What is your district’s stance regarding teachers/schools use of Google docs? Would signing up for a Google Apps for Education account and activating the SSL capabilities meet with FERPA laws?
An example: A teacher using Google forms/spreadsheet to keep track of parent contacts made and items discussed. Using Google docs the school’s administrative staff could have access to the information as the teacher complies the data. BUT because we are not in a contractual agreement with Google (as opposed to Fitness Gram or TMSDS) would this violate FERPA law?
So…until GoogleApps for Education comes out with an official policy statement for K-12 schools, a District’s response should be, “What’s out there just isn’t substantial enough.”
On a related note, some Googling of FERPA and GoogleApps for Education yielded the following inconclusive results:
IMPORTANT DISCLAIMER: By subscribing to a Gmail (SouthSeattle.edu Google Apps) account, you acknowledge that Google is not acting on behalf of South Seattle Community College and any e-mail transmission between you and College employees or others is subject to Google’s Gmail privacy statement on the use and disclosure of e-mail.Excluding students due to FERPA – Not possible
Does Gmail meet FERPA guidelines?
Google is contractually and legally responsible to protect information. Google will not share e-mail contents or personal information to outside parties.
Source: http://www.csuchico.edu/google/facultystaff.shtml#ferpaDiscussion in Mark Wagner’s blog about GoogleAPps and FERPA is mentioned in comments:
http://edtechlife.com/?p=2236Fascinating reading…
The question of Family Educational Rights and Privacy Act (FERPA) compliance was raised during
most sessions. Session attendees appeared to be comfortable with the typical subsequent discussion
pointing out that FERPA compliance is more a task of user behavior rather than infrastructure, and that
the features within Google Apps allow FERPA compliance.
The most significant issue may be with the ability of Google Apps to allow compliance with The Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Sessions were held at
Arizona Health Sciences Center (AHSC) as well as at the remote Phoenix Biomedical Campus (PBC).
The question of HIPAA compliance arose at both locations, although the most pointed comments were
made here in Tucson. Steven Wormsley, the head of college IT for the College of Medicine, was explicit
in expressing his doubts that Google would be HIPAA compliant, although without noting specific
issues. An attorney from the UA Office of General Counsel’s (OGC) Comstock satellite office was
present at one of the AHSC sessions. She appeared less worried about present compliance, but
informed us that the HIPAA rules would be updated as of February 2010, and might contain certain
aspects of required encryption that is not presently mandated. GIT anticipates that we would purchase
an optional but standard add-on for Google Apps, if we were to move faculty and staff into the Google
structure, that allows much more control over staff and faculty email. This add on, the Postini service,
would allow encryption of email data, as well as requirements such as ediscovery, mail rollback,
archiving, record retention, etc.
There is some precedence in regards to education and healthcare institutions determining that Google
Apps does allow HIPAA compliance. St. Louis University (SLU), a private school of approximately
13,000 students, has moved their faculty and staff to Google Apps. SLU has a comprehensive
healthcare program, including a College granting medical degrees, and running a 365-bed academic
teaching hospital. Their Compliance Office has determined that Google Apps meets HIPAA
requirements. See more at http://www.slu.edu/x22574.xml .
FERPA Issues
Google is contractually and legally responsible to protect information. A note is made that they are not obligated to be FERPA compliant — since Google itself is not required to be — but that they work with the institution to ensure their privacy needs are met. Northwestern feels that Google security is a contractual requirement that the institution must agree to (so should support their needs) and is better than what many institutions can provide.
Source: http://blog.vibrantjourney.com/2008/05/27/google-apps-for-education/
Subscribe to Around the Corner-MGuhlin.org
Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure
Discover more from Another Think Coming
Subscribe to get the latest posts sent to your email.
Another Think Coming 
How does the recent hacking of Google fit into this?http://www.wired.com/threatlevel/2010/01/operation-aurora/http://news.techworld.com/security/3210105/us-taking-china-google-hack-very-seriously/
How does the recent hacking of Google fit into this?http://www.wired.com/threatlevel/2010/01/operation-aurora/http://news.techworld.com/security/3210105/us-taking-china-google-hack-very-seriously/
Hi Miguel,For districts genuinely worried about violating FERPA, I would suggest they contact their district attorney.Again, to my knowledge, FERPA only applies to permanent records, not "desk drawer" records (daily work, quizzes, project assesments, etc.)I've read nothing by the National School Board Association or any other big organization warning school districts from using Google Apps nor have I read of any school district losing E-rate funds or any tech director being turned into a pillar of salt.If your fears were grounded, no ASP would useful to schools.All the best,Doug
Hi Miguel,For districts genuinely worried about violating FERPA, I would suggest they contact their district attorney.Again, to my knowledge, FERPA only applies to permanent records, not “desk drawer” records (daily work, quizzes, project assesments, etc.)I've read nothing by the National School Board Association or any other big organization warning school districts from using Google Apps nor have I read of any school district losing E-rate funds or any tech director being turned into a pillar of salt.If your fears were grounded, no ASP would useful to schools.All the best,Doug
It is pretty simple.When you open a Google Apps account you and Google enter into an agreement that Google will keep your data secure and you are the owner of your data. So the product itself is "FERPA compliant". However, the behaviors of your staff members may not be. Then again, they may not be with a word document either.This is a training problem, not an application problem.
It is pretty simple.When you open a Google Apps account you and Google enter into an agreement that Google will keep your data secure and you are the owner of your data. So the product itself is “FERPA compliant”. However, the behaviors of your staff members may not be. Then again, they may not be with a word document either.This is a training problem, not an application problem.
Henry,I agree. This seems like we are throwing the baby out with the bathwater.If your district doesn't want you to store school information on Google Docs/Forms/Spreadsheets, they should just make that their local school policy.That has nothing to do with Google, really. There are other online places you could be storing things that districts might consider part of FERPA. It's up to each district to educate their own staff as to what they consider a violation and how to appropriately use Google APPS.What we are missing in this discussion is the value-added that Google apps have for students and instruction. If we disallow it for FERPA concerns, then we have just disabled these functionalities for all of our students.We all know how helpful collaborative writing can be(Google docs) or the power of surveys (Google forms) or the advantages of the ability to create a shared spreadsheet of research data or…..I could go on and on.I'm not trying to brush off these concerns, but I honestly think we cannot hold companies accountable for our own staff following our own guidelines.And we'd hold staff responsible just as we would if they posted private information on the wall in the hallway, or at the convenience store on the bulletin board, or sent it out in a mass email, etc.The 'what-ifs' limit our ability to envision the "what can be?" sometimes.
Henry,I agree. This seems like we are throwing the baby out with the bathwater.If your district doesn't want you to store school information on Google Docs/Forms/Spreadsheets, they should just make that their local school policy.That has nothing to do with Google, really. There are other online places you could be storing things that districts might consider part of FERPA. It's up to each district to educate their own staff as to what they consider a violation and how to appropriately use Google APPS.What we are missing in this discussion is the value-added that Google apps have for students and instruction. If we disallow it for FERPA concerns, then we have just disabled these functionalities for all of our students.We all know how helpful collaborative writing can be(Google docs) or the power of surveys (Google forms) or the advantages of the ability to create a shared spreadsheet of research data or…..I could go on and on.I'm not trying to brush off these concerns, but I honestly think we cannot hold companies accountable for our own staff following our own guidelines.And we'd hold staff responsible just as we would if they posted private information on the wall in the hallway, or at the convenience store on the bulletin board, or sent it out in a mass email, etc.The 'what-ifs' limit our ability to envision the “what can be?” sometimes.
To Henry:You said it! Most "technology problems" happen when people do DUMB THINGS.Kudos to Miguel for raising the issue and reminding everyone to give periodic, due consideration to FERPA.BobBl
To Henry:You said it! Most “technology problems” happen when people do DUMB THINGS.Kudos to Miguel for raising the issue and reminding everyone to give periodic, due consideration to FERPA.BobBl
Great issue, Miguel – love the legal topics. @doug0077 – if you just send it to your district attorney … they'll say not to use it because that is the easy legal way out and ensures that they keep their job too! (even if that's not the best educational option). Also, FERPA can not be so easily broken down into "permanent v. desk drawer" – it's more complex and some Google Docs would assuredly be educational records. The issue here is bigger than Google, it is the cloud in general (i.e. any storage of educational materials on servers not owned and controlled by the school). Google is just the biggest cloud purveyor, but all the other cloud tools would have a similar issue so we need to get this figured out (I probably need to write an article on it – Miguel, want to help with that?). However, I'm not convinced there is a FERPA issue yet (this is not legal advice, even though I am a lawyer). FERPA is not a law that was really built for this purpose. It was built for paper records and most of the cases that are out there are paper in nature. Also, FERPA doesn't seem as concerned about e-discovery access as it does non-parental access in real time – and the cloud would seem to me to have more issues with the former than the latter.On top of all that, FERPA doesn't really carry a big stick. Worst case it would seem to me is that a parent files a complaint with the DOE, the DOE could investigate, and the DOE could tell you to stop using it. But, as of now, the DOE has NEVER pulled the funding (their only remedy) because of school FERPA violations. If they haven't pulled the funding even in extreme cases where the intent of FERPA was clearly being violated, I highly doubt they would pull the funding on this very complex and legally gray issue. But, let's say you are a big district that wants to make the switch and is worried about it … just ask the DOE for an opinion on the matter! They will provide guidance on the matter and if they don't, at least you can say you asked them first but didn't get a response. The wrong reaction is to stop implementation of a tool that could help kids because you THINK there might be a legal issue, but really don't know. Don't let the law get in the way of learning! If your lawyers don't want to help you build for learning, get new lawyers. Ask – if no one answers – implement – if someone raises concerns – apologize. There is enough administrative discretion built into the law that it is only the rare circumstance where the Courts or the Fed slap people's hand enough for them to be fired.
Great issue, Miguel – love the legal topics. @doug0077 – if you just send it to your district attorney … they'll say not to use it because that is the easy legal way out and ensures that they keep their job too! (even if that's not the best educational option). Also, FERPA can not be so easily broken down into “permanent v. desk drawer” – it's more complex and some Google Docs would assuredly be educational records. The issue here is bigger than Google, it is the cloud in general (i.e. any storage of educational materials on servers not owned and controlled by the school). Google is just the biggest cloud purveyor, but all the other cloud tools would have a similar issue so we need to get this figured out (I probably need to write an article on it – Miguel, want to help with that?). However, I'm not convinced there is a FERPA issue yet (this is not legal advice, even though I am a lawyer). FERPA is not a law that was really built for this purpose. It was built for paper records and most of the cases that are out there are paper in nature. Also, FERPA doesn't seem as concerned about e-discovery access as it does non-parental access in real time – and the cloud would seem to me to have more issues with the former than the latter.On top of all that, FERPA doesn't really carry a big stick. Worst case it would seem to me is that a parent files a complaint with the DOE, the DOE could investigate, and the DOE could tell you to stop using it. But, as of now, the DOE has NEVER pulled the funding (their only remedy) because of school FERPA violations. If they haven't pulled the funding even in extreme cases where the intent of FERPA was clearly being violated, I highly doubt they would pull the funding on this very complex and legally gray issue. But, let's say you are a big district that wants to make the switch and is worried about it … just ask the DOE for an opinion on the matter! They will provide guidance on the matter and if they don't, at least you can say you asked them first but didn't get a response. The wrong reaction is to stop implementation of a tool that could help kids because you THINK there might be a legal issue, but really don't know. Don't let the law get in the way of learning! If your lawyers don't want to help you build for learning, get new lawyers. Ask – if no one answers – implement – if someone raises concerns – apologize. There is enough administrative discretion built into the law that it is only the rare circumstance where the Courts or the Fed slap people's hand enough for them to be fired.